The Risk of Using Browser Autofill

By István F. Verified by Adam B. Last updated: December 12, 2024

Web browsers have a problematic feature that, rather unfortunately, we all love to use: autofill. Whenever you create an account on a website, the browser’s built-in password manager offers to save the credentials (and any credit card data, if applicable) so that the next time you visit the site it automatically fills in the required fields, leaving you only to press the enter key to log in.

But the price of this convenience is a high security risk. Research released through Princeton’s Center for Information Technology Policy reveals how browsers’ built-in password managers fail to protect user data and in fact give it away to online advertising and data tracking firms.

At the heart of the problem is the convenient autofill feature itself. While it streamlines the login process, it can be exploited by third-party scripts that harvest email addresses and, when used for malicious purposes, leak passwords as well.

A security flaw no one talks about

This isn’t a new security flaw. The security community has been aware of it for the past decade, and it hasn’t stopped being a topic of discussion since, but this research is the first to publicly disclose the root cause of the vulnerability that lets attackers harvest your credentials so easily.

David Silver, Suman Jana, and Dan Boneh from Stanford University, together with Eric Chen and Collin Jackson from Carnegie Mellon University, had earlier conducted a number of theoretical attacks on the leading browsers’ built-in password managers and on the autofill features of password management services. What they discovered was quite alarming: these services follow very different and inconsistent autofill policies.

The researchers demonstrated how a malicious attack can succeed in an ‘evil coffee shop’ scenario because of the autofill policy. They also demonstrated how password managers can prevent these attacks by never autofilling under certain conditions and by requiring manual user interaction before the software enters any password.

Why is this still possible?

All popular browsers have their own built-in password managers that save and fill usernames and passwords to streamline the login process. In general, filling the login form doesn’t require any user interaction: some of the major web browsers enter the credentials automatically regardless of whether the form is even visible to the user.

As a result, third-party scripts can easily abuse this browser feature to retrieve the saved credentials: they simply create a form with a username and a password field, hide it on the legitimate page, and let the browser’s autofill do the rest by automatically entering the stored data into those fields.

This isn’t a new flaw, and unfortunately it will stick around for a while, because from the browser’s perspective there is no flaw: everything is working exactly as designed. Here is why.

The web application security model relies on something called the Same-Origin Policy. Under this rule, the web browser allows scripts running in one web page to access data in a second web page only if the two share the same origin, i.e., the same website or domain. So, if a web-based service provider embeds a third-party script directly on its site instead of isolating it in an iframe (an inline frame used to embed another document within the current HTML document), the web browser treats that script as though it came from the publisher (the web service provider) itself. As a result, nothing stands in the way of an attacker reading the credentials the browser’s password manager has automatically filled in.
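As an added example (not code from the article or from the cited research), here is a defensive page-integrity check that a site owner or browser extension could run to flag password fields that are not visible to the user, which is the shape of form the section above describes. The document and element objects below are constructed stand-ins so it runs offline; on a real page you would pass `document` and `window.getComputedStyle` instead.

```javascript
// Returns true when an element is hidden from the user by CSS or geometry.
function isVisuallyHidden(style, rect) {
  if (style.display === 'none' || style.visibility === 'hidden') return true;
  if (Number(style.opacity) === 0) return true;
  if (rect.width === 0 || rect.height === 0) return true;
  // Elements pushed entirely off-screen are invisible in practice too.
  if (rect.right <= 0 || rect.bottom <= 0) return true;
  return false;
}

// Audits every password input and reports whether it (or an ancestor) is hidden.
// A hidden password field on a page that should have only a visible login form
// is the signal worth alerting on or reporting to the site owner.
function auditPasswordFields(doc, computeStyle) {
  const findings = [];
  for (const field of doc.querySelectorAll('input[type="password"]')) {
    let hidden = isVisuallyHidden(computeStyle(field), field.getBoundingClientRect());
    // Walk up the ancestors: a visible input inside a display:none container is hidden.
    for (let el = field.parentElement; !hidden && el; el = el.parentElement) {
      hidden = isVisuallyHidden(computeStyle(el), el.getBoundingClientRect());
    }
    findings.push({ name: field.name, hidden });
  }
  return findings;
}

// --- Constructed stand-in DOM (not a real page) for offline demonstration ---
function makeEl(name, style, rect, parent = null) {
  return { name, style, parentElement: parent, getBoundingClientRect: () => rect };
}
const shown = { display: 'block', visibility: 'visible', opacity: '1' };
const onScreen = { width: 200, height: 30, right: 300, bottom: 400 };
const body = makeEl('body', shown, onScreen);
const hiddenDiv = makeEl('div', { ...shown, display: 'none' }, onScreen, body);
const fields = [
  makeEl('password', shown, onScreen, body),                       // the real login field
  makeEl('pw_in_hidden_div', shown, onScreen, hiddenDiv),          // hidden via ancestor CSS
  makeEl('pw_offscreen', shown, { ...onScreen, right: -5000 }, body), // hidden via position
];
const sampleDoc = { querySelectorAll: () => fields };
const computeStyle = (el) => el.style;

console.log(auditPasswordFields(sampleDoc, computeStyle));
```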

What can you do to protect yourself?

The easiest way to protect yourself is to disable autofill in any browser you use. If you use a password management service – which we highly recommend – it will instruct you on how to disable the browser’s autofill. It’s important to complete this step, because password management services address this serious security flaw by first verifying the authenticity of the website you are trying to log in to, and then requiring your input before filling in the credentials and logging you in safely.



User feedback

  1. My God, it’s stupefyingly easy to throttle login attempts, rendering this article virtually useless.


